Page MenuHomePhabricator

Security Review of Recommendation API - take #2
Closed, ResolvedPublic


The Recommendation API service will soon enter production, so we would like the Security team to perform a review of the service. This is take #2; after the first review (T148133: Security review for Recommendation API) the service has been rewritten in NodeJS (using the service template) and greatly simplified.

Demo: deployment-sca0[1-4], port 9632 in the deployment-prep project

Event Timeline

@dpatrick Is is possible to get a rough estimate of when you'll be able to work on this? Thanks

@schana, I'm scheduling this to start this week and be completed within two weeks.

Thank you @dpatrick ! For guidance, the parts that are specific to this service are the translation routes and the underlying functionality.

So my only complaint would be, that it appears the source parameter is never validated. It should be checked that the value is sane (e.g. that it matches /^[a-zA-Z]+$/ ). Other than that, looks good.

I'm also not a fan of the way the swagger ui part works by running find and replace regexes over javascript, but its not exploitable as they are static files, and it doesn't have anything to do with this project because its part of the template

Change 366222 had a related patch set uploaded (by Nschaaf; owner: Nschaaf):
[mediawiki/services/recommendation-api@master] Add source parameter validation

Change 366222 merged by Mobrovac:
[mediawiki/services/recommendation-api@master] Add source parameter validation

schana claimed this task.
schana removed a project: User-schana.

The source parameter validation has been merged and deployed.